Regulations take many forms, depending upon the industry, the region, and the type of data being protected, but one thing is consistent among them: Regulators frown on poor data-protection practices.
Compliance can be a chore, and many organizations try to minimize the pain by taking a “one and done” approach. They go through all the necessary steps once and then walk away, assuming the job is done.
Unfortunately, cybercriminals don’t agree. Their tactics are always changing, as are the types of data they seek to steal.
Take healthcare records. It’s safe to say that when U.S. healthcare organizations implemented the Health Insurance Portability and Accountability Act (HIPAA) compliance plans a decade ago, they didn’t expect that these records would become such a hot commodity. And until recently criminals didn’t bother much with them, preferring to pilfer credit card and bank account numbers instead. But as financial institutions have turned up their defenses, crooks have discovered that there’s gold in medical data and even an entire hidden data economy for stolen medical data.
More than 100 million healthcare records were stolen last year, an 11,000% increase over 2014. It turns out that those data troves often contain Social Security numbers, credit card data, and insurance information, which can be used to fraudulently dispense prescriptions and pay for operations. Stolen credit cards go for a couple of dollars on the black market, but insurance records can command $60 each.
With the rise of state-sponsored hacking, new types of healthcare information have also come into play. For example, field trial data about new medications is now a prime target for hackers engaged in corporate espionage or biological warfare. Five years ago, that wasn’t a major issue.
Tactics also change. Few people had even heard of ransomware three years ago; today it’s one of the leading forms of malware. Ransomware is primarily spread through phishing attacks, which demands that organizations exercise increased vigilance with email filtering.
New regulations are raising the bar on compliance. The European Union’s General Data Protection Regulation (GDPR) promises strict rules for protecting data and disclosing data breaches – and hefty fines for noncompliance. While the GDPR doesn’t go into effect until 2018, any organization that does business in Europe needs to begin preparing now for the upcoming changes.
What to Do
Compliance tactics for safeguarding data must adjust for this new reality. Most regulations are unspecific about how data should be protected, which is both a good and a bad thing. The positive is that your organization has some flexibility in implementing protections. The negative is that there’s no way to get inside the minds of regulators who come calling for an audit.
A few basic tactics will serve you well.
- Work closely with your legal counsel and internal auditors to understand any specific rules that apply to your company or industry. They shouldn’t be shy about calling up regulators for guidance.
- Scan your inventory to see what kind of information you have. If credit card numbers or Social Security numbers are in your files, you’ll need to protect them. Ignorance is not an excuse, and auditors will give you points for having done this spade work.
- Match protection measures to the data. For example, names and ages may not need to be protected as carefully as financial records and insurance account numbers. Encrypting or tokenizing sensitive data is a good step, but be sure any accounts that have access to encryption keys or tokens are secured with two-factor authentication. The first thing attackers look for is password files.
- Use data loss prevention (DLP) to automatically discover and classify information. DLP software can be set to issue warnings, challenges, or outright denials to requests for data. It’s a particularly useful tool for preventing disclosure – whether intentional or not – by insiders.
- Make compliance part of someone’s job. Adherence demands paying close attention to trends and vulnerabilities. One or more people should be accountable for tracking these changes. Auditors will appreciate that when they come to call.